## Reuse It Or Lose It: More Efficient Secure Computation Through Reuse of Encrypted Values

Citations: | 3 - 1 self |

### Citations

796 | Protocols for Secure Computations
- Yao
- 1982
Citation Context ... sS13. The sS13 cut-and-choose is required in our protocol so that the cloud can check that the generator creates the correct gates. 7. RELATED WORK SFE was first described by Yao in his seminal paper [39] on the subject. The first general purpose platform for SFE, Fairplay [32], was created in 2004. Fairplay had both a compiler for creating garbled circuits, and a run-time system for executing them. C... |

232 | Oblivious transfer and polynomial evaluation
- Naor, Pinkas
- 1999
Citation Context ... the evaluator has inputx and inputy, then she can also receive outputi, and the encrypted truth tables are sent to her for evaluation. For the evaluator’s input, 1-out-of-2 oblivious transfers (OTs) [1, 20, 34, 35] are used. In a 1-out-of-2 OT, one party offers up two possible values while the other party selects one of the two values without learning the other. The party that offers up the two values does not ... |

221 | Efficient oblivious transfer protocols
- Naor, Pinkas
- 2001
Citation Context ... the evaluator has inputx and inputy, then she can also receive outputi, and the encrypted truth tables are sent to her for evaluation. For the evaluator’s input, 1-out-of-2 oblivious transfers (OTs) [1, 20, 34, 35] are used. In a 1-out-of-2 OT, one party offers up two possible values while the other party selects one of the two values without learning the other. The party that offers up the two values does not ... |

146 | FairplayMP: a system for secure multi-party computation
- Ben-David, Nisan, et al.
- 2008
Citation Context ...th a compiler for creating garbled circuits, and a run-time system for executing them. Computations involving three or more parties have also been examined; one of the earliest examples is FairplayMP [2]. There have been multiple other implementations since, in both semi-honest [6, 9, 16, 17, 40] and malicious settings [26, 37]. Optimizations for garbled circuits include the free-XOR technique [25], ... |

122 | Non-interactive oblivious transfer and applications
- Bellare, Micali
- 1990
Citation Context ... the evaluator has inputx and inputy, then she can also receive outputi, and the encrypted truth tables are sent to her for evaluation. For the evaluator’s input, 1-out-of-2 oblivious transfers (OTs) [1, 20, 34, 35] are used. In a 1-out-of-2 OT, one party offers up two possible values while the other party selects one of the two values without learning the other. The party that offers up the two values does not ... |

119 | Faster secure two-party computation using garbled circuits
- Huang, Evans, et al.
- 2011
Citation Context .... http://dx.doi.org/10.1145/2660267.2660285. was first introduced by Yao in the 1980s [39] and was largely a theoretical curiosity. Developments in recent years have made 2P-SFE vastly more efficient [18, 27, 38]. However, computing a function using SFE is still usually much slower than doing so in a non-privacy-preserving manner. As mobile devices become more powerful and ubiquitous, users expect more servic... |

116 | An efficient protocol for secure two-party computation in the presence of malicious adversaries - Lindell, Pinkas |

106 | Improved garbled circuit: Free XOR gates and applications
- Kolesnikov, Schneider
- 2008
Citation Context ...d party, the cloud. Cloud – The cloud is the party that executes the garbled circuit outsourced by the evaluator. Notation Ci - The ith circuit. CKeyi - Circuit key used for the free XOR optimization [25]. The key is randomly generated and then used as the difference between the 0 and 1 wire labels for a circuit Ci. CSeedi - This value is created by the generator’s PRNG and is used to generate a parti... |

100 | Secure two-party computation is practical
- Pinkas, Schneider, et al.
- 2009
Citation Context ...iple other implementations since, in both semi-honest [6, 9, 16, 17, 40] and malicious settings [26, 37]. Optimizations for garbled circuits include the free-XOR technique [25], garbled row reduction [36], rewriting computations to minimize SFE [23], and pipelining [18]. Pipelining allows the evaluator to proceed with the computation while the generator is creating gates. KSS12 [27] included both an o... |

92 | Sharemind: A framework for fast privacy-preserving computations
- Bogdanov, Laur, et al.
- 2008
Citation Context ...s of magnitude. PCF [26] built from this and used a more advanced representation to reduce the disk space used. Other methods for performing MPC involve homomorphic encryption [3, 12], secret sharing [4], and ordered binary decision diagrams [28]. A general privacy-preserving computation protocol that uses homomorphic encryption and was designed specifically for mobile devices can be found in [7]. Th... |

92 | Extending oblivious transfers efficiently
- Ishai, Kilian, et al.
- 2003 |

83 | Tasty: tool for automating secure two-party computations
- Henecka, Kögl, et al.
- 2010
Citation Context ...been studied extensively by the cryptography community, leading to the creation of the first general purpose platform for SFE, Fairplay [32] in the early 2000s. Today, there exist many such platforms [6, 9, 16, 17, 26, 37, 40]. The classic platforms for 2P-SFE, including Fairplay, use garbled circuits. A garbled circuit is a Boolean circuit which is encrypted in such a way that it can be evaluated when the proper input wir... |

63 | Homomorphic evaluation of the AES circuit
- Gentry, Halevi, et al.
- 2012
Citation Context ...ng memory usage by orders of magnitude. PCF [26] built from this and used a more advanced representation to reduce the disk space used. Other methods for performing MPC involve homomorphic encryption [3, 12], secret sharing [4], and ordered binary decision diagrams [28]. A general privacy-preserving computation protocol that uses homomorphic encryption and was designed specifically for mobile devices can... |

63 | Billion-gate secure computation with malicious adversaries
- Kreuter, shelat, et al.
- 2012
Citation Context .... http://dx.doi.org/10.1145/2660267.2660285. was first introduced by Yao in the 1980s [39] and was largely a theoretical curiosity. Developments in recent years have made 2P-SFE vastly more efficient [18, 27, 38]. However, computing a function using SFE is still usually much slower than doing so in a non-privacy-preserving manner. As mobile devices become more powerful and ubiquitous, users expect more servic... |

56 | Fairplay—a secure two-party computation system
- Malkhi, Nisan, et al.
- 2004
Citation Context ...proposed in the 1980s in Yao’s seminal paper [39]. The area has been studied extensively by the cryptography community, leading to the creation of the first general purpose platform for SFE, Fairplay [32] in the early 2000s. Today, there exist many such platforms [6, 9, 16, 17, 26, 37, 40]. The classic platforms for 2P-SFE, including Fairplay, use garbled circuits. A garbled circuit is a Boolean circu... |

48 | Asynchronous multiparty computation: Theory and implementation
- Damgård, Geisler, et al.
- 2009
Citation Context ...been studied extensively by the cryptography community, leading to the creation of the first general purpose platform for SFE, Fairplay [32] in the early 2000s. Today, there exist many such platforms [6, 9, 16, 17, 26, 37, 40]. The classic platforms for 2P-SFE, including Fairplay, use garbled circuits. A garbled circuit is a Boolean circuit which is encrypted in such a way that it can be evaluated when the proper input wir... |

46 | Sepia: privacy-preserving aggregation of multi-domain network events and statistics
- Burkhart, Strasser, et al.
- 2010
Citation Context ...been studied extensively by the cryptography community, leading to the creation of the first general purpose platform for SFE, Fairplay [32] in the early 2000s. Today, there exist many such platforms [6, 9, 16, 17, 26, 37, 40]. The classic platforms for 2P-SFE, including Fairplay, use garbled circuits. A garbled circuit is a Boolean circuit which is encrypted in such a way that it can be evaluated when the proper input wir... |

42 | Reusable garbled circuits and succinct functional encryption
- Goldwasser, Kalai, et al.
- 2013
Citation Context ...elat and Shen [38] (hereon sS13) and new methods of partial input gate checks and evaluation, we improve on previous proposals. There are other approaches to the creation of reusable garbled circuits [13, 10, 5], and previous work on reusing encrypted values in the ORAM model [30, 11, 31], but these earlier schemes have not been implemented. By contrast, we have implemented our scheme and found it to be both... |

41 | Semi-homomorphic encryption and multiparty computation. Cryptology ePrint Archive, Report 2010/514
- Bendlin, Damgård, et al.
- 2010
Citation Context ...ng memory usage by orders of magnitude. PCF [26] built from this and used a more advanced representation to reduce the disk space used. Other methods for performing MPC involve homomorphic encryption [3, 12], secret sharing [4], and ordered binary decision diagrams [28]. A general privacy-preserving computation protocol that uses homomorphic encryption and was designed specifically for mobile devices can... |

32 | A.: Efficient two party and multi party computation against covert adversaries. In: EUROCRYPT - Goyal, Mohassel, et al. - 2008 |

28 | Two-output secure computation with malicious adversaries
- Shelat, Shen
- 2011 |

25 | Quid-pro-quo-tocols: Strengthening semi-honest protocols with dual execution
- Huang, Katz, et al.
- 2012
Citation Context ...s based on completely different techniques; it enables us to do new kinds of computations, thus expanding the set of things that can be computed using garbled circuits. The Quid-Pro-Quo-tocols system [19] allows fast execution with a single bit of leakage. The garbled circuit is executed twice, with the parties switching roles in the latter execution, then running a secure protocol to ensure that the ... |

24 | A protocol issue for the malicious case of Yao's garbled circuit construction - Kiraz, Schoenmakers - 2006 |

23 | Secure function evaluation with ordered binary decision diagrams
- Kruger, Jha, et al.
- 2006
Citation Context ...nd used a more advanced representation to reduce the disk space used. Other methods for performing MPC involve homomorphic encryption [3, 12], secret sharing [4], and ordered binary decision diagrams [28]. A general privacy-preserving computation protocol that uses homomorphic encryption and was designed specifically for mobile devices can be found in [7]. There are also custom protocols designed for ... |

22 | How to garble RAM programs
- Lu, Ostrovsky
Citation Context ... and evaluation, we improve on previous proposals. There are other approaches to the creation of reusable garbled circuits [13, 10, 5], and previous work on reusing encrypted values in the ORAM model [30, 11, 31], but these earlier schemes have not been implemented. By contrast, we have implemented our scheme and found it to be both practical and efficient; we provide a performance analysis and a sample appli... |

16 | Secure computation on the web: Computing without simultaneous interaction
- Halevi, Lindell, et al.
- 2011
Citation Context ...saries, as a malicious server and last k parties, also malicious, could replay their portion of the computation with different inputs and gain more information than they can with a single computation [15]. However, this is not a problem in our system as at least one of our servers, either the generator or cloud, must be semi-honest due to non-collusion, which obviates the attack stated above. Threat M... |

16 | PCF: A portable circuit format for scalable two-party secure computation
- Kreuter, Mood, et al.
- 2013 |

15 | Salus: A system for server-aided secure function evaluation
- Kamara, Mohassel, et al.
- 2012
Citation Context ... run at all without exhausting the memory, which can happen for non-trivial input sizes and algorithms [8]. One way to allow mobile devices to perform SFE is to use a server-aided computational model [8, 22], allowing the majority of an SFE computation to be “outsourced” to a more powerful device while still preserving privacy. Past approaches, however, have not considered the ways in which mobile comput... |

10 | Secure outsourced garbled circuit evaluation for mobile devices
- Carter, Mood, et al.
- 2012
Citation Context ... devices (where resource constraints are tight), it is extremely slow – if the computation can be run at all without exhausting the memory, which can happen for non-trivial input sizes and algorithms [8]. One way to allow mobile devices to perform SFE is to use a server-aided computational model [8, 22], allowing the majority of an SFE computation to be “outsourced” to a more powerful device while st... |

10 | Memory-efficient garbled circuit generation for mobile devices
- Mood, Letaw, et al.
- 2012
Citation Context ... fast and efficient manner is one of the central problems in the area. Previous compilers, from Fairplay to KSS12, were based on the concept of creating a complete circuit and then optimizing it. PAL [33] improved such systems by using a simple template circuit, reducing memory usage by orders of magnitude. PCF [26] built from this and used a more advanced representation to reduce the disk space used.... |

10 | Fast two-party secure computation with minimal assumptions
- shelat, Shen
- 2013
Citation Context .... http://dx.doi.org/10.1145/2660267.2660285. was first introduced by Yao in the 1980s [39] and was largely a theoretical curiosity. Developments in recent years have made 2P-SFE vastly more efficient [18, 27, 38]. However, computing a function using SFE is still usually much slower than doing so in a non-privacy-preserving manner. As mobile devices become more powerful and ubiquitous, users expect more servic... |

6 | For your phone only: custom protocols for efficient secure function evaluation on mobile devices. SCN
- Carter, Amrutkar, et al.
- 2013
Citation Context ...ing [4], and ordered binary decision diagrams [28]. A general privacy-preserving computation protocol that uses homomorphic encryption and was designed specifically for mobile devices can be found in [7]. There are also custom protocols designed for particular privacy-preserving computations; for example, Kamara et al. [21] showed how to scale server-aided Private Set Intersection to billion-element ... |

6 | Secure two-party computations in ANSI C
- Holzer, Franz, et al.
- 2012 |

5 | Scaling private set intersection to billion-element sets
- Kamara, Mohassel, et al.
- 2013
Citation Context ...ic encryption and was designed specifically for mobile devices can be found in [7]. There are also custom protocols designed for particular privacy-preserving computations; for example, Kamara et al. [21] showed how to scale server-aided Private Set Intersection to billion-element sets with a custom protocol. Previous reusable garbled-circuit schemes include that of Brandão [5], which uses homomorphi... |

4 | Secure two-party computation with reusable bit-commitments, via a cut-and-choose with forge-and-lose technique (extended abstract)
- Brandão
- 2013
Citation Context ...elat and Shen [38] (hereon sS13) and new methods of partial input gate checks and evaluation, we improve on previous proposals. There are other approaches to the creation of reusable garbled circuits [13, 10, 5], and previous work on reusing encrypted values in the ORAM model [30, 11, 31], but these earlier schemes have not been implemented. By contrast, we have implemented our scheme and found it to be both... |

4 | Garbled RAM revisited, part II. Cryptology ePrint Archive, Report 2014/083
- Lu, Ostrovsky
- 2014
Citation Context ... and evaluation, we improve on previous proposals. There are other approaches to the creation of reusable garbled circuits [13, 10, 5], and previous work on reusing encrypted values in the ORAM model [30, 11, 31], but these earlier schemes have not been implemented. By contrast, we have implemented our scheme and found it to be both practical and efficient; we provide a performance analysis and a sample appli... |

4 | a general-purpose compiler for private distributed computation
- PICCO
- 2013 |

3 | Expression Rewriting for Optimizing Secure Computation
- Kerschbaum
- 2013
Citation Context ...i-honest [6, 9, 16, 17, 40] and malicious settings [26, 37]. Optimizations for garbled circuits include the free-XOR technique [25], garbled row reduction [36], rewriting computations to minimize SFE [23], and pipelining [18]. Pipelining allows the evaluator to proceed with the computation while the generator is creating gates. KSS12 [27] included both an optimizing compiler and an efficient run-time ... |

2 | How to compress (reusable) garbled circuits. Cryptology ePrint Archive, Report 2013/687
- Gentry, Gorbunov, et al.
- 2013
Citation Context ...elat and Shen [38] (hereon sS13) and new methods of partial input gate checks and evaluation, we improve on previous proposals. There are other approaches to the creation of reusable garbled circuits [13, 10, 5], and previous work on reusing encrypted values in the ORAM model [30, 11, 31], but these earlier schemes have not been implemented. By contrast, we have implemented our scheme and found it to be both... |

2 | Garbled RAM revisited
- Gentry, Halevi, et al.
Citation Context ... and evaluation, we improve on previous proposals. There are other approaches to the creation of reusable garbled circuits [13, 10, 5], and previous work on reusing encrypted values in the ORAM model [30, 11, 31], but these earlier schemes have not been implemented. By contrast, we have implemented our scheme and found it to be both practical and efficient; we provide a performance analysis and a sample appli... |

1 | prevents the generator from finding out any information about the evaluator’s input if a selective failure attack transpires. CMTB also uses the commitment technique of Kreuter et al. [27] to prevent the generator from swapping the two possible outputs of - which |